How the Claworc LLM Gateway Works

June 3, 2025Claworc Team

Tags:securityllmapi-keysarchitecture

One of the less obvious features of Claworc is the built-in LLM gateway. Here’s what it does and why it matters.

The credential problem

When you run OpenClaw on a server, the agent needs API keys — OpenAI, Anthropic, whatever providers you use. The naive approach is to put those keys directly in the container’s environment or config file.

That works fine for one instance. It breaks down at fleet scale:

• Every agent on every machine has a copy of your real keys.
• Rotating a key means touching every instance.
• If one container is compromised, the attacker has live credentials.
• You have no visibility into which instance is spending how much.

Virtual keys

Claworc’s gateway sits between your agents and the upstream LLM providers. Instead of handing each agent your real API key, Claworc issues it a virtual key — a synthetic credential that the gateway exchanges for the real one at request time.

Real credentials live only in the Claworc control plane, encrypted at rest. They never touch agent containers.

Per-instance revocation

Because each instance has its own virtual key, you can revoke access for one agent without affecting any other. You don’t need to rotate your upstream key or touch any other container.

This is useful when:

• An instance is misbehaving and you want to cut it off immediately.
• A team member leaves and you want to revoke their agent’s access.
• You’re doing a planned shutdown and want to prevent stray requests.

Usage dashboard

The gateway records every request — model, token counts, latency, instance ID. The usage dashboard lets you see exactly which agents are calling which models and what it’s costing, broken down by instance and time range.

Configuration

Enable the gateway in your Claworc config and point your OpenClaw instances at the control plane URL instead of the upstream provider URL. See the models overview for the full setup guide.